Vulnerability Analysis with Nessus


Requirements:

- Nessus 3.0 or later.
- Windows 2000/XP.


Description:

Nessus is a popular vulnerability scanner used by most security professionals.

Nessus works with two components: on one side the server, which holds the plugins (updates) and ultimately runs the scans, and on the other side a client, which tells the server which tasks to carry out. Note that it is very common to find both the client and the server on the same PC (as we will do in this lab).


Installation:

Perform the default installation of the tool by double-clicking the executable file (Nessus-3.0.6.1). Once the installation is complete, an Internet connection will be needed to update the plugins.

Procedure:

1. Start the application by double-clicking the desktop icon "Tenable Nessus", or click "Start > Programs > Tenable Network Security > Nessus > Tenable Nessus".

2. Click "Start Scan Task".


[Screenshot: Tenable Nessus Vulnerability Scanner, "Welcome to Nessus Vulnerability Scanner" screen. Left menu: Welcome, Start Scan Task, View Reports, Address Book, Manage Policies, Update Plugins, Help, About Nessus. The welcome text explains that scan results are saved automatically and can be reopened from "View Reports", and warns: "This scanner has not been configured for plugins updates. Please consider registering."]
3. Enter the IP address of the scan target and then click "Next".


[Screenshot: "Please enter the target you want to scan". You can specify a single host (hostname or IP), a list of hosts separated by commas, an IP range, or a network address; a DNS name entered as a target must be resolvable by the system. Address Book entries appear in the drop-down list, and targets can also be imported from a file. Target entered: 10.0.10.204.]
4. You will then be presented with four options that define how the scan is carried out. Select "Define my policy" so that the scan options can be customised, and then click "Next".


[Screenshot: "Please choose the plugins set you want to use". Nessus uses plugins to do security checks; most are written in NASL (Nessus Attack Scripting Language) and each performs one particular check. Options shown:
- Enable all but dangerous plugins with default settings (Recommended)
- Enable all plugins with default settings (Even dangerous plugins are enabled)
- Choose a predefined policy (You should use Manage Policies to create one first)
- Define my policy (For advanced user)
Note: Dangerous plugins may cause Denial of Service to the host(s) being scanned.]
5. Review the options available for the scan on each of the tabs. In particular, click the "Credentials" tab and verify that no user appears in the "SMB account" field; do the same for the "SMB password" field. This way the analysis is carried out without any particular credentials. When finished, click "Next".


[Screenshot: "View or Change Settings", with tabs General, Services and Credentials. The Credentials tab states: "This information enables Nessus to scan remote hosts as if locally connected and determine if critical security patches have been applied." Fields: SMB account, SMB password, SMB domain (optional), "Never send SMB credentials in clear text" (checked), "Only use NTLMv2", Kerberos Key Distribution Center (KDC), Kerberos KDC Port, Kerberos KDC Transport, SSH user name, SSH password (unsafe!), SSH public key to use.]
6. In the next step we can choose which kinds of checks to run by selecting the plugins to use. This lets us reduce the number of tests carried out during the scan and so shorten its duration. Select only the plugins related to Windows systems and the services they provide (e.g. Windows, Web Servers, General, Databases, etc.). Then click "Next".


[Screenshot: "Select plugins to use". The left pane lists plugin families (General, Gentoo Local Security Checks, HP-UX Local Security Checks, Mac OS X Local Security Checks, Mandrake Local Security Checks, Misc., NIS, Netware, Peer-To-Peer File Sharing, Port scanners, RPC, Red Hat Local Security Checks, Remote file access, SMTP problems, SNMP, Service detection, Settings, Slackware Local Security Checks, Solaris Local Security Checks, SuSE Local Security Checks, Ubuntu Local Security Checks, Useless services, Web Servers, Windows, Windows : Microsoft Bulletins, Windows : User management); the Windows-related families are checked and the rest unchecked. The right pane lists the individual plugins of the selected family (Sun Java, 7-Zip, Adobe Acrobat/Reader, AIM, Akamai Download Manager, Antivirus checks, AOL, etc.).]
7. The next window asks us to select a Nessus server. Since the server on our own PC will be used, select "Scan from the localhost" and click "Scan now".


[Screenshot: "Choose a Nessus server". Note: Nessus has a client/server architecture which allows you to scan from a remote Nessus server; indicate whether to scan from the local host, otherwise provide the login information of the remote server. Options: "Scan from the localhost" (selected) or "Scan from a remote Nessus server" with Name or IP address, Username and Password fields. Buttons: Back, Scan now.]
8. Once the analysis is finished, a report is displayed in the browser. Review the information obtained.


[Screenshot: "Tenable Nessus Security Report" opened in Microsoft Internet Explorer from C:\Documents and Settings\lreveand\Tenable\Nessus\reports\html\current_report.xml,view_by_host.xsl.htm. Excerpt of the report:]

  Start Time: Fri Oct 26 17:25:41 2007    Finish Time: Fri Oct 26 17:27:06 2007

  10.0.10.204    14 Open Ports, 32 Notes, 5 Warnings, 17 Holes.

  epmap (135/udp)
    A security vulnerability exists in the Messenger Service that could allow
    arbitrary code execution on an affected system. An attacker who successfully
    exploited this vulnerability could be able to run code with Local System
    privileges on an affected system, or could cause the Messenger Service to fail.
    Disabling the Messenger Service will prevent the possibility of attack.

    This plugin actually checked for the presence of this flaw.

    Solution: see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx

    Risk Factor : High
    CVE : CVE-2003-0717
    BID : 8826
    Other references : IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007, OSVDB:10936
    Plugin ID : 11890

  ms-sql-m (1434/udp)
    The remote host MS SQL server is vulnerable to several overflows which could
    be exploited by an attacker to gain SYSTEM access on that host.

    Note that a worm (sapphire) is exploiting this vulnerability in the wild.

    Solution: http://www.microsoft.com/technet/security/bulletin/ms02-061.mspx

    Risk Factor : High
    CVE : CVE-2002-1137, CVE-2002-1138, CVE-2002-0649, CVE-2002-0650, CVE-2002-1145, CVE-2002-0644, CVE-2002-0645, CVE-2002-0721


9. Run a new scan, but this time including the administrator credentials, and check the information obtained. Is it similar to that obtained in the first scan?
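To answer the question in step 9 systematically rather than by eye, the following Python script (an added example, not part of the original lab and not Nessus's own report format) compares the findings of the two scans of 10.0.10.204. The first two findings are taken from the step 8 report excerpt; the credentialed-scan entries, their plugin IDs and the tuple layout are assumptions made for the example.

```python
from collections import Counter

# One finding = (port, plugin_id, risk_factor, title). Constructed sample
# data: the first two entries come from the lab's step 8 report excerpt (the
# plugin ID of the MS SQL finding is not shown in the lab, hence None).
UNAUTHENTICATED = [
    ("135/udp", 11890, "High", "Messenger Service arbitrary code execution (MS03-043)"),
    ("1434/udp", None, "High", "MS SQL server multiple overflows (MS02-061)"),
]

# Hypothetical results of the credentialed re-scan asked for in step 9. With an
# SMB account Nessus can run local checks (the Credentials tab says it scans
# "as if locally connected" to see whether patches are applied), so findings
# from the "Windows : Microsoft Bulletins" and "Windows : User management"
# families may appear that a network-only scan cannot see. Plugin IDs are
# placeholders, not real Nessus IDs.
CREDENTIALED = UNAUTHENTICATED + [
    ("445/tcp", "PLACEHOLDER-1", "High", "Missing Microsoft bulletin (local patch check)"),
    ("445/tcp", "PLACEHOLDER-2", "Medium", "Local users never changed their passwords"),
]


def finding_key(finding):
    """Identity of a finding: port plus title (the plugin ID may be unknown)."""
    port, _plugin_id, _risk, title = finding
    return (port, title)


def risk_summary(findings):
    """Count findings per risk factor, e.g. {'High': 2}."""
    return Counter(risk for _port, _pid, risk, _title in findings)


def diff_scans(before, after):
    """Return (only_in_before, only_in_after, in_both) as sets of finding keys."""
    before_keys = {finding_key(f) for f in before}
    after_keys = {finding_key(f) for f in after}
    return before_keys - after_keys, after_keys - before_keys, before_keys & after_keys


def report(before, after):
    """Human-readable comparison of the two scans, one line per difference."""
    gone, new, same = diff_scans(before, after)
    lines = [
        f"risk summary without credentials: {dict(risk_summary(before))}",
        f"risk summary with credentials:    {dict(risk_summary(after))}",
        f"{len(same)} finding(s) common to both scans",
    ]
    lines += [f"only with credentials:    {port} {title}" for port, title in sorted(new)]
    lines += [f"only without credentials: {port} {title}" for port, title in sorted(gone)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(UNAUTHENTICATED, CREDENTIALED))
```

Findings listed under "only with credentials" are the ones the local checks contributed; in a real lab run, replace the constructed lists with the hosts and plugin IDs from your own two reports.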


